T1505.004 · IBM QRadar

Detect IIS Components in IBM QRadar

Adversaries install malicious ISAPI extensions, ISAPI filters, or native IIS modules on Internet Information Services (IIS) web servers to establish persistent access. These components are DLLs loaded into the IIS worker process (w3wp.exe), so they run with the worker's privileges and can inspect and modify every HTTP request and response the server handles. RGDoor (OilRig) and OwaAuth (Threat Group-3390) are ISAPI-based backdoors that used this technique, and IceApple is an IIS post-exploitation framework that shipped with 18 modules. Unlike web shells, IIS components leave no script in the web content directories and serve no page of their own, so they do not appear in web-root listings and are harder to spot.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.004 IIS Components
Canonical reference
https://attack.mitre.org/techniques/T1505/004/

QRadar Detection Query

AQL (IBM QRadar)
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  "username",
  "sourceip" AS host_ip,
  QIDNAME(qid) AS event_name,
  "EventID",
  CASE
    WHEN "EventID" = '13' AND ("TargetObject" ILIKE '%W3SVC%' OR "TargetObject" ILIKE '%ISAPI Filter%' OR "TargetObject" ILIKE '%ISAPI Extension%' OR "TargetObject" ILIKE '%GlobalModules%' OR "TargetObject" ILIKE '%inetsrv%') AND "Details" ILIKE '%.dll%'
      THEN 'IIS_Component_Registration'
    WHEN "EventID" = '11' AND ("TargetFilename" ILIKE '%\\system32\\inetsrv%' OR "TargetFilename" ILIKE '%\\inetpub%' OR "TargetFilename" ILIKE '%\\inetsrv%') AND "TargetFilename" ILIKE '%.dll' AND NOT ("Image" ILIKE '%msiexec.exe%' OR "Image" ILIKE '%setup.exe%' OR "Image" ILIKE '%pkgmgr.exe%' OR "Image" ILIKE '%TiWorker.exe%' OR "Image" ILIKE '%TrustedInstaller.exe%' OR "Image" ILIKE '%wusa.exe%' OR "Image" ILIKE '%dism.exe%')
      THEN 'IIS_Dir_DLL_Write'
    WHEN "EventID" = '7' AND "Image" ILIKE '%w3wp.exe%' AND ("ImageLoaded" ILIKE '%\\Users\\%' OR "ImageLoaded" ILIKE '%\\Temp\\%' OR "ImageLoaded" ILIKE '%\\ProgramData\\%' OR "ImageLoaded" ILIKE '%\\AppData\\%' OR "ImageLoaded" ILIKE '%\\Windows\\Temp\\%') AND "ImageLoaded" ILIKE '%.dll'
      THEN 'IIS_Non_Standard_Module_Load'
  END AS detection_type,
  "Image" AS initiating_process,
  "CommandLine",
  "TargetObject" AS registry_key,
  "Details" AS registry_value,
  "TargetFilename" AS file_path,
  "ImageLoaded" AS loaded_dll
FROM events
WHERE logsourcetypeid = 1011
  AND (
    ("EventID" = '13' AND ("TargetObject" ILIKE '%W3SVC%' OR "TargetObject" ILIKE '%ISAPI Filter%' OR "TargetObject" ILIKE '%ISAPI Extension%' OR "TargetObject" ILIKE '%GlobalModules%' OR "TargetObject" ILIKE '%inetsrv%') AND "Details" ILIKE '%.dll%')
    OR ("EventID" = '11' AND ("TargetFilename" ILIKE '%\\system32\\inetsrv%' OR "TargetFilename" ILIKE '%\\inetpub%' OR "TargetFilename" ILIKE '%\\inetsrv%') AND "TargetFilename" ILIKE '%.dll' AND NOT ("Image" ILIKE '%msiexec.exe%' OR "Image" ILIKE '%setup.exe%' OR "Image" ILIKE '%pkgmgr.exe%' OR "Image" ILIKE '%TiWorker.exe%' OR "Image" ILIKE '%TrustedInstaller.exe%' OR "Image" ILIKE '%wusa.exe%' OR "Image" ILIKE '%dism.exe%'))
    OR ("EventID" = '7' AND "Image" ILIKE '%w3wp.exe%' AND ("ImageLoaded" ILIKE '%\\Users\\%' OR "ImageLoaded" ILIKE '%\\Temp\\%' OR "ImageLoaded" ILIKE '%\\ProgramData\\%' OR "ImageLoaded" ILIKE '%\\AppData\\%' OR "ImageLoaded" ILIKE '%\\Windows\\Temp\\%') AND "ImageLoaded" ILIKE '%.dll')
  )
ORDER BY starttime DESC
LAST 24 HOURS

Severity: high · Confidence: high

QRadar AQL query over Sysmon events (logsourcetypeid 1011 here; confirm the ID assigned to the Sysmon DSM in your console) to detect malicious IIS component installation. It flags three patterns: registry value writes to IIS configuration keys that reference a DLL (Event ID 13), DLL creation in IIS directories by a process other than the Windows servicing stack or a known installer (Event ID 11), and w3wp.exe loading a DLL from a user-writable, non-standard location (Event ID 7). The WHERE clause repeats the three branch conditions because the detection_type alias cannot be referenced there; keep both copies identical when tuning, otherwise rows that pass the filter can arrive with an empty detection_type. Event ID 7 is only emitted when image-load logging is enabled in the Sysmon configuration (it is off by default), so verify that w3wp.exe image loads are being collected before relying on the third branch.

Data Sources

  • Microsoft Windows Sysmon (QRadar DSM)
  • Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Legitimate software deployment tools writing IIS modules during scheduled maintenance windows — coordinate with change management to suppress known-good deployment processes
  • Web Application Firewall agents or APM monitoring tools (New Relic, AppDynamics) that register as ISAPI filters and may load from non-standard installation directories
  • Development environments where developers have write access to IIS directories and load test DLLs from their user profile folders during active development
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List IIS Global Modules (Detection Audit)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-WebGlobalModule'. No system changes made; this test does not trigger the query above and only confirms that process telemetry from the host is arriving.

  2. Test 2: Write Test DLL to IIS Directory

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\Windows\System32\inetsrv\df00tech-test.dll, Image=powershell.exe. Because powershell.exe is not on the installer exclusion list, this should surface as IIS_Dir_DLL_Write.

  3. Test 3: Check applicationHost.config for Module Registrations

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with a CommandLine referencing applicationHost.config. Sysmon does not record file reads, so no Event ID 11 is produced by this test; an Event ID 11 for applicationHost.config would only appear if the file were written, which is itself worth investigating.
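As an added example, not part of the QRadar content pack or the Atomic Red Team tests, the following Python reimplements the three CASE branches of the AQL query above so the logic can be exercised offline before it is deployed: it runs the classifier over constructed Sysmon events (including the Test 2 file write from the methodology above and a Windows servicing write that the installer exclusion list suppresses), and shows how the allow-list from the tuning notes is extended for a known-good deployer. Every event dict, the `deploy-agent.exe` process name and the file names are constructed for the example.

```python
"""Reference implementation of the three detection branches in the AQL query
above, run over constructed Sysmon events.  Added example, not part of the
QRadar content or the Atomic Red Team tests; every event below is hand-built."""
from typing import Dict, Iterable, List, Optional, Tuple

Event = Dict[str, str]

# Substrings from the AQL query; all matching is case-insensitive, like ILIKE.
IIS_REGISTRY_MARKERS = ("w3svc", "isapi filter", "isapi extension", "globalmodules", "inetsrv")
IIS_DIRS = ("\\system32\\inetsrv", "\\inetpub", "\\inetsrv")
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\", "\\windows\\temp\\")
# Processes allowed to drop DLLs into IIS directories (Windows servicing and installers).
DEFAULT_INSTALLER_ALLOWLIST = ("msiexec.exe", "setup.exe", "pkgmgr.exe", "tiworker.exe",
                               "trustedinstaller.exe", "wusa.exe", "dism.exe")


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    """Case-insensitive substring test, the equivalent of OR-ed ILIKE '%needle%' clauses."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def classify(event: Event, installer_allowlist: Iterable[str] = DEFAULT_INSTALLER_ALLOWLIST) -> Optional[str]:
    """Return the detection_type the AQL CASE expression would assign, or None."""
    event_id = str(event.get("EventID", ""))
    if event_id == "13":  # RegistryEvent (value set)
        if (_contains_any(event.get("TargetObject", ""), IIS_REGISTRY_MARKERS)
                and ".dll" in event.get("Details", "").lower()):
            return "IIS_Component_Registration"
    elif event_id == "11":  # FileCreate
        path = event.get("TargetFilename", "")
        if (_contains_any(path, IIS_DIRS) and path.lower().endswith(".dll")
                and not _contains_any(event.get("Image", ""), installer_allowlist)):
            return "IIS_Dir_DLL_Write"
    elif event_id == "7":  # ImageLoad
        loaded = event.get("ImageLoaded", "")
        if ("w3wp.exe" in event.get("Image", "").lower()
                and loaded.lower().endswith(".dll")
                and _contains_any(loaded, USER_WRITABLE_DIRS)):
            return "IIS_Non_Standard_Module_Load"
    return None


def detect(events: Iterable[Event],
           installer_allowlist: Iterable[str] = DEFAULT_INSTALLER_ALLOWLIST) -> List[Tuple[str, str]]:
    """Run classify() over a stream of events; return (detection_type, artefact) for each hit."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        detection_type = classify(ev, installer_allowlist)
        if detection_type:
            artefact = ev.get("TargetObject") or ev.get("TargetFilename") or ev.get("ImageLoaded") or ""
            hits.append((detection_type, artefact))
    return hits


# Constructed sample telemetry (not captured from a real host).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"

SAMPLE_EVENTS: List[Event] = [
    # Branch 1: ISAPI filter registered under the W3SVC service key, value points at a DLL.
    {"EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters\\Filter DLLs",
     "Details": "C:\\inetpub\\wwwroot\\bin\\filter.dll"},
    # Branch 2: the Test 2 file write (powershell.exe is not an installer, so it fires).
    {"EventID": "11", "Image": PS,
     "TargetFilename": "C:\\Windows\\System32\\inetsrv\\df00tech-test.dll"},
    # Benign: Windows servicing writing a module DLL, suppressed by the allow-list.
    {"EventID": "11", "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\inetsrv\\iisfreb.dll"},
    # Tuning case: a hypothetical deployment agent that is not in the default allow-list.
    {"EventID": "11", "Image": "C:\\Program Files\\DeployAgent\\deploy-agent.exe",
     "TargetFilename": "C:\\inetpub\\modules\\CompanyModule.dll"},
    # Branch 3: w3wp.exe loading a DLL from ProgramData, a user-writable location.
    {"EventID": "7", "Image": W3WP, "ImageLoaded": "C:\\ProgramData\\cache\\module.dll"},
    # Benign: w3wp.exe loading a shipped native module from inetsrv.
    {"EventID": "7", "Image": W3WP, "ImageLoaded": "C:\\Windows\\System32\\inetsrv\\isapi.dll"},
    # Test 1 is audit-only: process creation is not in scope for this query.
    {"EventID": "1", "Image": PS, "CommandLine": "Get-WebGlobalModule"},
]

if __name__ == "__main__":
    for detection_type, artefact in detect(SAMPLE_EVENTS):
        print(f"{detection_type:32} {artefact}")
    # Suppress the deployment agent the way the tuning notes suggest for known-good deployers.
    tuned = DEFAULT_INSTALLER_ALLOWLIST + ("deploy-agent.exe",)
    print(len(detect(SAMPLE_EVENTS, tuned)), "hits after tuning")
```

The exclusion list is name-based, exactly like the `ILIKE '%setup.exe%'` clauses it mirrors, so a dropper renamed to setup.exe or msiexec.exe slips past it; treat the allow-list as a noise reducer rather than a trust decision, and when the rule fires pivot on the writing process's hash from its Event ID 1 record before closing the alert.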
